Hi Niko, On Thursday 4 September 2008 07:15, Niko Tyni wrote:
> I just noticed the CGIWrap upstream homepage at > http://cgiwrap.sourceforge.net/ has this security notice: > > CGIWrap 4.1 update protects against a cross-site scripting vulnerability > in the error page handling due to how some browsers behave when a > charset is not specified. CGIWrap now sets a default charset and allows > overriding it during the configure process. > > Advisories: > > * http://jvn.jp/en/jp/JVN45389864/index.html (English) > * http://jvn.jp/jp/JVN45389864/index.html (Japanese) > > This is CVE-2008-2852. I haven't actually verified it in the Debian > version, but pre-4.1 versions are listed as vulnerable. This includes > the version in Etch. Indeed. Unfortunately I couldn't find specifics on how this is exploited. Still, judging from the description the impact seems to be limited: only some charsets and a specific browser are affected. Plus, the patch is not really adequate since it compiles in the charset. I don't think we should be issuing a DSA for this issue. > I'm not sure about the severity, CC'ing the security team. Note that > this package is orphaned and the last maintainer upload was in 2005. > It might make sense to remove the package from lenny. Yes, I think so. Can you take care of that? Thijs
pgpasDoYpvUsf.pgp
Description: PGP signature

